| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
| mq authorization through serverconn channel |
« View previous topic :: View next topic » |
| Author |
Message
|
| Vitor |
 Posted: Fri Aug 09, 2013 8:50 am Post subject: |
 |
|
Grand High Poobah
Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA
|
| kishi_25 wrote: |
| What's your thoughts on this? |
WMQ never does authentication. It only authorizes against the supplied id. As quite excellently laid out earlier:
| RogerLacroix wrote: |
The queue manager does NOT provide authentication - you must use a security exit.
1) If the MCAUSER is non-blank then the connection will use the UserID from the MCAUSER field and the authorization will be applied against it. (no authentication).
2) If the MCAUSER is blank and the client application has set a UserID then the connection will use the UserID from the client application and the authorization will be applied against it. (no authentication).
3) If the MCAUSER is blank and the client application has NOT set a UserID then the connection will use the queue manager's (MCA's) UserID and the authorization will be applied against it. (no authentication). This is the great big security hole that everyone should worry about. Basically, this means the client application gets full access to the queue manager because it is running under "mqm". |
You'll find a wealth of discussion in this forum on these points.
_________________
Honesty is the best policy.
Insanity is the best defence. |
|
| Back to top |
|
 |
| mqjeff |
| Posted: Fri Aug 09, 2013 9:00 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
| hughson wrote: |
| For the record, CHLAUTHs were model on AUTHRECs, hence the SET command. |
For the record, I never had to use AUTHRECs, so I didn't really care that they were implemented in a poorly thought out manner.
It should have immediately thrown user experience flags when you realized you had to write "SET.... ACTION(DELETE)". That's like having to put your car in PARK and then flip a separate switch that says "REVERSE" in order to move backwards.
I don't see any good reason for using the pattern to match against as the name of the rule, either.
what's wrong with giving the rule a unique name?
Or is that not the onslaught you were looking for? |
|
| Back to top |
|
|
| bruce2359 |
| Posted: Fri Aug 09, 2013 11:05 am Post subject: |
|
|
Poobah
Joined: 05 Jan 2008
Posts: 9469
Location: US: west coast, almost. Otherwise, enroute.
|
| kishi_25 wrote: |
hi Roger/Burce,
If MCAUSEr is non-blank, I'm thinking authentication will be done by OS, ...
|
WMQ does not authenticate. Authentication means verifying identity with username, password, etc.. Authentication is done by the OS. WMQ does not authenticate.
If MCAUSER is non-blank, the MCAUSER value will be used as the identity of the MCA; and that value will be presented to OAM to determine if that value is authorized.
WMQ does not authenticate.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Fri Aug 09, 2013 12:10 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
| exerk wrote: |
| Anybody else feel that IBM's use of the term CHANNEL AUTHENTICATION RECORD is further muddying the waters? |
Aaaaaaahhhhhhhhhhhhhhhhhhh. Don't get me started. 
I've complained before, that is a really bad name and it gives a false sense of security. They should have called it Channel Filter/Mapper/Resolver whatever but not authentication.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Fri Aug 09, 2013 12:21 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3264
Location: London, ON Canada
|
| kishi_25 wrote: |
Section 3.2.1 of
http://www.redbooks.ibm.com/redbooks/pdfs/sg248069.pdf
"The original design of WebSphere MQ was as a transport stack that was used by local programs. Since all connections to the queue manager originated locally, the identities in the operating system’s process table were the basis for authorization. WebSphere MQ did not
perform any authentication since any process requesting a connection must have been authenticated by the operating system. Queue manager connections that arrive over shared memory rather than the network are known as bindings mode connections. Current versions
of WebSphere MQ continue to support bindings mode connections and these connections rely on the local operating system’s process ID for authentication and identity"
What's your thoughts on this? |
I have had some very strong discussion with the authors about the use of the term "authentication" in this red book. For the record, I still disagree. (I do not agree that filtering == authentication)
That particular paragraph is ok and true. It is saying that if you were to run amqsget (not amqsgetc), you would have had to log onto the server (i.e. via PuTTY) and amqsget runs in bindings mode. Hence, the queue manager is trusting that a logged on user has been authenticated against the OS. But even then, on Windows you could do a "run as" (sudo on Unix) to another UserID and then run amqsget which then breaks the trust MQ is relying on.
Of course, none of this is applicable to client mode connections which was your original question about setting MCAUSER.
Getting security correct in MQ is non trivial.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Aug 09, 2013 12:40 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| RogerLacroix wrote: |
| exerk wrote: |
| Anybody else feel that IBM's use of the term CHANNEL AUTHENTICATION RECORD is further muddying the waters? |
Aaaaaaahhhhhhhhhhhhhhhhhhh. Don't get me started.
I've complained before, that is a really bad name and it gives a false sense of security. They should have called it Channel Filter/Mapper/Resolver whatever but not authentication.
Regards,
Roger Lacroix
Capitalware Inc. |
And so the ripples move ever outward... 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
